Solved

AD DNS - I can ping some IPs but not others

Posted on 2008-10-15
Last Modified: 2012-05-05
I have an AD forest with 1 domain and 7 subdomains.
I'm using AD-integrated DNS.
One of my subdomains has 2 sites.
I created an OU within the subdomain that houses all of the 2nd site's servers, users, etc.
I can ping servers and workstations in all domains from the 2nd site, except for a few. I don't know what's stopping me from pinging our "internet filter" from this site. I can ping something within the same IP range, like 192.168.xx.11, but not 192.168.xx.12...

Question by:bernardb
22 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22724786

You can't ping by IP address?

Or is it Name Resolution that's at fault? That is, if you run "nslookup <host>" does it reply?

Can you connect to other services on the server? Anything running as TCP can be tested with telnet <servername> <port>. For example, we can test a connection to an SMTP server with "telnet server 25", or a web server with "telnet server 80". In most cases a successful connection is shown by a blank screen, anything but an error message is good :)

Chris
0
 

Author Comment

by:bernardb
ID: 22724833
Also, from all other domains, when I ping the filter I get the following
filter.domain.com

when I ping from the problem site, I get

filter.subdomain.domain.com

it should be filter.domain.com
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22724884

Does filter exist as a record in DNS in subdomain? Or does a wildcard exist (*)? Or is WINS forwarding enabled for subdomain?

I take it you get the wrong IP back in subdomain?

Chris
0
 

Author Comment

by:bernardb
ID: 22724923
I can't ping 192.168.xx.50 from this specific site, but I can from all other domains and sites.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22724972

Then the problem isn't DNS, it's network level. Something is blocking ICMP; you need to check any firewalls between the client and the server, and any firewalls running on the server.

Chris
0
 

Author Comment

by:bernardb
ID: 22725175
Could the following entries block ICMP?

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889

They're the only entries that are associated with the problem site.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725221

No, but they don't permit it either :)

Chris
0
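Chris's point that the entries above neither block nor permit ICMP comes down to how a PIX evaluates an access list: first match wins, and anything that matches no entry hits the implicit deny at the end. The following is an added Python example (not code from the thread) that parses PIX-style access-list lines like the ones quoted and evaluates a packet against them; the addresses are constructed sample values, not the poster's network.

```python
# Added example (not from the thread): simplified first-match evaluation of
# PIX-style "access-list" lines, showing why the quoted entries neither block
# nor permit ICMP: an echo request matches none, so the implicit deny applies.
# All addresses are constructed sample values, not the poster's network.
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: "tuple | None"      # inclusive destination port range, or None

def _parse_addr(tok, i):
    """Parse 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX ACLs use ordinary subnet masks, not IOS wildcard masks
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl_line(line: str) -> AclEntry:
    tok = line.split()      # access-list NAME ACTION PROTO SRC DST [eq P | range A B]
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dports = None
    if i < len(tok) and tok[i] == "eq":
        dports = (int(tok[i + 1]), int(tok[i + 1]))
    elif i < len(tok) and tok[i] == "range":
        dports = (int(tok[i + 1]), int(tok[i + 2]))
    return AclEntry(action, proto, src, dst, dports)

def evaluate(acl, proto, src, dst, dport=None):
    """Return the first matching entry's action; unmatched traffic is implicitly denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e.proto not in (proto, "ip") or s not in e.src or d not in e.dst:
            continue
        if e.dports and (dport is None or not e.dports[0] <= dport <= e.dports[1]):
            continue
        return e.action
    return "deny (implicit)"

SAMPLE_ACL = [parse_acl_line(l) for l in """
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.10 eq 8080
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.10 range 8888 8889
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.45 eq 8080
""".strip().splitlines()]
```

Calling `evaluate(SAMPLE_ACL, "icmp", "192.168.1.20", "192.168.1.10")` returns the implicit deny while the same source and destination on TCP 8080 is permitted, which is exactly the situation the thread describes; a real PIX also has stateful inspection and other interface ACLs that this model leaves out.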
 

Author Comment

by:bernardb
ID: 22725255
I may have missed the following. I can ping and get the following from the other sites:
ping 192.168.xx.50
I get good replies and it shows up as "filter.domain.com"

when I ping from the problem site, I get
ping filter.subdomain.domain.com
I get request time outs and it shows up as "filter.subdomain.com"

it should be filter.domain.com

Make sense? Hope I'm explaining fully
0
 

Author Comment

by:bernardb
ID: 22725301
Only one firewall...a PIX with the entries shown. No firewalls on the servers or clients...

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725316

But is the IP address returned from filter.subdomain.domain.com correct or not?

If it is, take name resolution out and concentrate on the network layer; if it's not, we need to know why subdomain is giving a response for "filter".

Chris
0
 

Author Comment

by:bernardb
ID: 22725347
Yes, the IP address returned from filter.subdomain.domain.com is the correct IP.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725432

Okay, good :) I did want to be sure about that.

Can you telnet to port 8080 on the server? That will tell us if IP flows properly, if routing is correct.

Chris
0
 

Author Comment

by:bernardb
ID: 22725630
Telnet appears to fail with connection refused from all domains...I tried command line and Putty.

telnet 192.168.xx.50 8080 - connection refused, no matter what site or domain I'm trying it from

Putty, same thing...

But I can ping from the other domains and can't from this site....but telnet fails on all of them
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725683

Then TCP isn't flowing either. Tracert <ip> and see if the path looks correct?

If you have a number of firewalls in between the sites check the routing, check NAT and check the rule-set.

Chris
0
 

Author Comment

by:bernardb
ID: 22726139
The trace fails to this IP but not to the other. Only one firewall device...and the only connection to 10.203.xxx.50 - it goes out my gateway to the service provider and then
U:\>tracert 10.203.xxx.50

Tracing route to iprism.xxxxxxx.org [10.203.xxx.50]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    20 ms    18 ms    34 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.4]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The other trace to a server at the same location as the above appliance goes through fine.

U:\>tracert 10.203.xxx.45

Tracing route to chcsfp01.xxxxxx.org [10.203.xxx.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    18 ms    19 ms    18 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.74]
  3    20 ms    19 ms    19 ms  chcsfp01.xxxxxxx.org [10.203.xxx.45]

Trace complete.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22729599

Well it's going to the same gateway, can we check on h-67-100-228-74.nycmny83.covad.net?

Chris
0
 

Author Comment

by:bernardb
ID: 22741578
Covad says they will check, but it doesn't look like them...the Covad tech couldn't specify, but he thinks it's a DNS issue. He said so because I get a successful ping and trace to a server in the same subnet and location....I'm stumped at the moment.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22741790

But if the IP returned is the same, or you can't ping / trace when only using IP then DNS is completely out of the window. As soon as you get the IP back DNS is finished.

Chris
0
 

Author Comment

by:bernardb
ID: 22744213
So sorry for the delayed response...
So you say because it shows "Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:"...it eliminates DNS?


U:\>ping iprism

Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.203.xxx.50:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
0
 
LVL 71

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 22744255

If the IP is correct the DNS cannot be to blame because it's done its job properly :)

That puts us back at troubleshooting the network level, because that shouldn't be remotely interested in the name used to access a resource.

Chris
0
 

Author Comment

by:bernardb
ID: 22745740
I will continue to troubleshoot...and keep you updated. Thanks for your help, and if you can think of anything at the network level to check, I will.

Thanks again
0
 

Author Closing Comment

by:bernardb
ID: 31508941
Thank you for all of your help...The problem was my fault. The device was an internet filter located at another site. When I filled out the network section, I left out a number.....I slowly went over each setting and noticed it...My apologies.
0
